Project 7: Rails Security

Due: Wednesday, February 25, 2009

After spending your youth pillaging and plundering the denizens of the web using your mad skillz, the time has come for you to grow up. It is now time for you to retire from your wild exploits and redeem yourself in the eyes of the world. You decide to put your skills (yes, skills, not skillz) to good use and become an up-and-coming web security consultant.

Light has offered you a chance to take a step towards redemption by securing his friend's hand rolled blogging software. Help his friend out: find and fix XSS and SQL Injection vulnerabilities in Simple Blog.

proj7 and proj7fix have exactly the same code right now, and they share the same database. You should use the proj7 copy to test that your exploits work. You should put your fixes to the vulnerabilities listed below in proj7fix.

Part 1: Simple XSS

Find the simple XSS vulnerability. This XSS vulnerability is "simple" because the vulnerable input field has no input filtering whatsoever.

Use the XSS vulnerability to e-mail yourself the victim's cookie when the victim is logged in.

A link to the e-mail script you should use is included on the Simple Blog home page.

Put the text you use to exploit the vulnerable field in 1.txt.

Fix the vulnerability in Simple Blog in your proj7fix copy.

Part 2: More Sophisticated XSS

Find the harder-to-exploit XSS vulnerability. This XSS vulnerability is harder to exploit because the input field has some input filtering.

Exploit the XSS vulnerability first using an iframe, and then using an embedded image/svg+xml document.

Put the text you submit into the vulnerable field in 2iframe.txt and 2embed.txt, respectively.

Why can't you easily alert the cookie when you exploit the XSS using an embedded image/svg+xml document? Put your answer in 2q.txt.

Fix the vulnerabilities by removing the customizations in config/environment.rb in your proj7fix copy.

Part 3: SQL Injection

Find the SQL injection vulnerability. This SQL injection vulnerability can be exploited by crafting the right URL.

Use UNION ALL to list all the usernames and passwords registered in Simple Blog.

Even though Firefox will let you get away without URL-encoding the value of the GET parameter, you should encode it anyway; otherwise your URL is not a valid URL by the web standard. Put the URL-encoded exploit in 3.txt.

Fix the SQL Injection vulnerability in Simple Blog.
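As an added illustration, not Simple Blog's own code, the following plain Ruby shows the shape of the two fixes: Part 1's output escaping with the h helper that Rails 2 views provide (ERB::Util.html_escape from the standard library), and Part 3's value binding, which is a simplified stand-in for what ActiveRecord does with the :conditions => ["title = ?", value] form. The sample post body, the sample title value, and the quote/bind helpers are constructed for this example.

```ruby
require 'erb'

# Added example, not Simple Blog's own code. Plain Ruby stand-ins for the two
# Rails fixes: escaping output in views (Part 1) and binding SQL values (Part 3).

include ERB::Util # provides h(), the escaping helper Rails 2 views call

# Constructed post body containing markup, as a Simple Blog user could submit it.
HOSTILE_BODY = %q{Nice post!<script>alert('xss')</script>}

# Vulnerable view: the body is dropped into the page raw, so the browser runs it.
VULN_VIEW  = ERB.new("<div class='post'><%= body %></div>")
# Fixed view: the body passes through h(), so the browser shows it as text.
FIXED_VIEW = ERB.new("<div class='post'><%= h(body) %></div>")

def render(view, body)
  view.result(binding) # `body` is visible to the template through this binding
end

# Constructed parameter value containing a quote, as it could arrive in a URL.
HOSTILE_TITLE = %q{x' UNION ALL SELECT ... --}

# Vulnerable condition: string interpolation lets the quote end the SQL literal.
def vuln_conditions(title)
  "title = '#{title}'"
end

# Fixed condition, mirroring :conditions => ["title = ?", title]: the value is
# quoted and embedded quotes are doubled, so it can never leave the literal.
# (Simplified; ActiveRecord delegates quoting to the database adapter.)
def quote(value)
  value.is_a?(Integer) ? value.to_s : "'#{value.to_s.gsub("'", "''")}'"
end

def bind(sql, *values)
  sql.gsub('?') { quote(values.shift) }
end

if __FILE__ == $0
  puts render(VULN_VIEW, HOSTILE_BODY)   # <script> reaches the browser
  puts render(FIXED_VIEW, HOSTILE_BODY)  # &lt;script&gt; is shown as text
  puts vuln_conditions(HOSTILE_TITLE)    # quote escapes the literal
  puts bind("title = ?", HOSTILE_TITLE)  # whole value stays one literal
end
```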

Additional Requirements, Hints, etc.

You must work alone for this project. You may discuss general approaches with other people, and you may ask for help if you get stuck, but you must write your own exploits and fixes.

Read the following page about handling SQL injection and XSS in Rails. There is only one slight mistake on the page: the SQL injection vulnerability noted there cannot be used to drop tables. Rails does not let you submit more than one SQL query using any method of ActiveRecord.

You can edit and remove posts in Simple Blog directly through the database.

If you cannot find the vulnerabilities mentioned above, you should pay particular attention to the input filtering, or lack thereof, in our code.

All the fixes are supposed to be very simple. The point is to show you a few ways you might trip up when coding in Rails. If you have a hard time writing fixes, please let us know; you are likely going down the wrong path.

Challenge Problem 1: More Vulnerabilities

We may well have overlooked other web application vulnerabilities, such as XSS, CSRF, or SQL injection. Please report them to us. We will acknowledge your contribution here and in all future distributions of the project.

Deliverables

Use the standard class submission mechanism to submit a README file, your answers in 1.txt, 2iframe.txt, 2embed.txt, 2q.txt, and 3.txt, and your entire proj7fix directory and its descendants, with all the above vulnerabilities patched.

Please indicate in the README file whether you developed on Windows or a Macintosh. We may need this information in order to test your solution. Please also include how much time you spent on each part and how hard it was for you (too easy, easy, good, hard, too hard). Feel free to add any feedback you have on the assignment, and anything else about your submission that will help us improve it.